Securing web sites with HTTPS made them less accessible

Securing web sites with HTTPS made them less accessible(thenextweb.com)

11 points by jwfxpr 7 years ago | 13 comments

r3bl 7 years ago |

Original article discussed here (87 points, 46 comments): https://news.ycombinator.com/item?id=17707187

Freak_NL 7 years ago |

> Google, Wikipedia

Caching Google makes no sense beyond some static resources. Wikipedia can be made available off-line, just not by using a man-in-the-middle server. This may make sense for a school with limited connectivity to do.

> That’s great for modern browsers, but not everyone has the option to be modern. Sometimes they’re constrained by old operating systems to run older browsers, ones with no service-worker support: a lab full of Windows XP machines limited to IE8, for example.

You don't have the option to run legacy browsers and expect everything to work.

Just don't use a legacy proprietary OS if you want to go on-line with it. Either install a free (as in gratis, but libre makes sense too) operating system, pay for the windows upgrades, or scrap the computers.

mehrdadn 7 years ago | |

> Caching Google makes no sense beyond some static resources.

Really? So you cannot make any sense of the idea of caching, say, news articles? Blog posts? Software documentation? StackOverflow Qs/As? The cached pages are 100% useless in your mind?

majewsky 7 years ago | | |

All of those are not Google. OP was probably thinking of SERPs.

mehrdadn 7 years ago |

Regarding the caching problem, is there no way to trust a locally signed certificate that your caching server uses so that you can cache over HTTPS?

georgecalm 7 years ago | |

It’s possible and is what Charles and MITM proxies do. Specifically, Charles generates its own certificates for sites, which it signs using a Charles Root Certificate. So the clients of this proxy would accept the proxy’s CA and continue as usual. This of course does make browsing less secure, as a compromised proxy negates the security of https of all of the proxied websites. A slightly more secure but less efficient caching solution is to install the proxy locally, but then, of course, the cache isn’t shared.

mehrdadn 7 years ago | | |

Can local certificates not be restricted to the few domains you want cached, so that the user can be sure their browser isn't using the local proxy's certificate for anything other than the sites approved on the certificate (like Wikipedia)? I would've thought this is possible, but if not, I feel like browsers should implement the ability to restrict local certificates to specific sites. It shouldn't be hard. They'd obviously have to still upgrade their browsers but then they wouldn't have to twiddle their thumbs waiting for every website to implement its own service workers (or not end up doing so).

moviuro 7 years ago |

1. webpages are fat, and no many care [0] Some other recent HN submissions compared page weight to the number of words in Moby Dick - and it's just as bad as one can think.

2. Blaming HTTPS is stupid. Intercepting http without the user knowing was a bad practice to begin with. Setting your own computer to use an HTTPS proxy sounds reasonable, though I understand it's quite a PITA. Having the user jump through difficult and scary messages could be a good feature IMO: "Setting up an https proxy can compromise your information such as bank account numbers, your passport information, your religious and political penchants, etc." As for technological solutions for one's home or organization: see Squid, which does provide examples [1].

[0] Wikipedia does care actually as it uses local cache a lot, and text-only articles such as https://en.wikipedia.org/wiki/Project_Xanadu used only 271 kB; https://en.wikipedia.org/wiki/United_States is around 5MB)

[1] https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBum...

mehrdadn 7 years ago | |

> Intercepting http without the user knowing was a bad practice to begin with.

It baffles me that you assert this as an absolute truth. This is just your opinion, shaped by the environment you've lived in. It is perfectly possible that another person just as sane and knowledgeable as you would have different priorities than you do, especially when their experiences are different than yours.

m0nty 7 years ago | |

> Intercepting http without the user knowing was a bad practice to begin with

A proxy and strict filtering of media files was essential when I ran a school's network using dual ISDN lines to connect to the Internet. Slightly analagous to the situation in OP except that it actually worked quite well.